
Defending against WPS attacks

After some research and field testing, it's become pretty obvious that WPS is the most dangerous threat to Wi-Fi security, for APs with WPS enabled.

The most obvious solution is to simply disable WPS. But some routers, most notably Linksys models, don't allow someone to fully disable it.

Another obvious solution is for vendors to lock down WPS in the firmware. For example, locking WPS for 30 minutes after 10 incorrect PIN attempts, then 60 minutes after another 10, then locking it permanently after another 10. Even just locking WPS for 30-minute intervals after 10 attempts would render most bruteforces impractical. The Netgear WNDR3800 I just pentested does lock WPS ... for five minutes, after about 25 incorrect attempts. With tweaked Reaver settings, I cracked it in under 24 hours at about 16 seconds per PIN.

I just read that Kismet can now detect a flood of WPS traffic, indicating a WPS attack. That's great! But, what can someone do once they've detected an attack? Other than heatmapping the signal from the offending MAC address and attempting to locate the device, is there anything anyone can do to stop an attack in progress, other than take the vulnerable AP offline?
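The lockout schedules discussed in the post above can be compared with a small model. This is an added example, not code from any poster or vendor: `WpsLockout`, `seconds_to_exhaust` and the 3-second time per PIN exchange are assumptions made for illustration, and the result is the worst case over the whole PIN space rather than the time of any particular test.

```python
import math

# WPS checks the PIN in two halves, so an online guesser needs at most
# 10**4 + 10**3 tries (a protocol property, not a figure from the thread).
MAX_PIN_ATTEMPTS = 10**4 + 10**3

class WpsLockout:
    """Lock WPS after every `threshold` failed PINs (hypothetical firmware logic).

    stages: lock durations in seconds, one per batch; None = permanent.
    repeat_last: reuse the final stage for all later batches.
    """
    def __init__(self, threshold, stages, repeat_last=False):
        self.threshold, self.stages, self.repeat_last = threshold, stages, repeat_last
        self.failures = 0
        self.locked_until = 0.0

    def is_locked(self, now):
        return now < self.locked_until

    def record_failure(self, now):
        self.failures += 1
        if self.failures % self.threshold:
            return                      # batch not full yet
        stage = self.failures // self.threshold - 1
        if stage >= len(self.stages):
            if not self.repeat_last:
                return                  # policy has no further stages
            stage = len(self.stages) - 1
        duration = self.stages[stage]
        self.locked_until = math.inf if duration is None else now + duration

def seconds_to_exhaust(policy, secs_per_attempt, attempts=MAX_PIN_ATTEMPTS):
    """Worst case for the defender: a client that retries the instant each
    lock expires. Returns seconds, or math.inf if WPS ends up locked for good."""
    now = 0.0
    for _ in range(attempts):
        if policy.is_locked(now):
            if math.isinf(policy.locked_until):
                return math.inf
            now = policy.locked_until
        now += secs_per_attempt
        policy.record_failure(now)
    return now

if __name__ == "__main__":
    SECS = 3.0  # assumed time per PIN exchange, not a measurement from the thread
    for name, p in [("5 min per 25 attempts", WpsLockout(25, [300], True)),
                    ("30 min per 10, repeating", WpsLockout(10, [1800], True)),
                    ("30 min, 60 min, then permanent", WpsLockout(10, [1800, 3600, None]))]:
        print(f"{name}: {seconds_to_exhaust(p, SECS) / 3600:.1f} h")
```

Under these assumptions the five-minute lock adds about 37 hours across the whole PIN space, the repeating 30-minute lock adds about 23 days, and the escalating schedule never lets the search finish.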

Re: Defending against WPS attacks

Well, from my point of view, when you start a WPS attack you usually associate with the AP, so what if you use MAC filtering? I know that it's not strong protection, but it gives the attacker a lot more trouble, since he has to wait for a legit MAC. Just an idea though.

Re: Defending against WPS attacks

Sure, good point.

In the event that, say, I'm running Kismet and pick up a WPS attack coming from a spoofed MAC 00:11:22:33:44:55, what can I do to stop the attack? Is there a way to deny service to that MAC, or do anything else short of physically locating and disabling the attacker?

Re: Defending against WPS attacks

I guess the only thing you can do is filter the address 00:11:22:33:44:55 and block its access. But it would change to another, again and again. So allowing only those computers that you want and blocking the rest would be more efficient.

Re: Defending against WPS attacks

Uh well, to defend against WPS attacks... Why not deactivate the WPS service? It can be done on most routers, and will get rid of that problem. As for the MAC filtering, you block everything but the authorized ones, and that should do it if you want to keep WPS active. Note that spoofing an authorized MAC is easy as pie though.

Re: Defending against WPS attacks

Originally Posted by comaX

Uh well, to defend against WPS attacks... Why not deactivate the WPS service? It can be done on most routers, and will get rid of that problem. As for the MAC filtering, you block everything but the authorized ones, and that should do it if you want to keep WPS active. Note that spoofing an authorized MAC is easy as pie though.

Thanks for the input. I did mention in my OP that disabling WPS is the obvious solution; I was just curious if there was anything else available to a defender, assuming their router cannot disable WPS (which is the case with a surprising number, sadly).

Re: Defending against WPS attacks

Originally Posted by ternarybit

Thanks for the input. I did mention in my OP that disabling WPS is the obvious solution; I was just curious if there was anything else available to a defender, assuming their router cannot disable WPS (which is the case with a surprising number, sadly).